Configuring the password validation details request control ACI - PingFederate - 10.2

PingFederate Server

When connecting to PingDirectory, configure the Access Control Instruction (ACI) for the password validation details request control so that users receive user-friendly messages when they fail to change or reset their passwords through the self-service account management capabilities of any HTML Form Adapter instances that use the datastore.

For self-service password management, where the user knows the current password and wants to update it, the service account of the datastore must have the password validation details request control ACI. For self-service account recovery, where the user wants to define a new password after forgetting the current password, the user account needs the same ACI.
  1. Create LDIF files to capture the following ACI information.
    OID
    1.3.6.1.4.1.30221.2.5.40
    Name
    Password Validation Details Request Control
    Permission
    read

    The following examples show the file contents for change password and for password reset.

    aci_toSvcAccount_forChangePassword.ldif
    # ACI to service account for change password
    dn: uid=ssoDataStore,ou=ServiceAccounts,dc=example,dc=local
    changetype: modify
    add: aci
    aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.40")(version 3.0; acl "Access to the Password Validation Details Request Control"; allow (read) userdn="ldap:///uid=ssoDataStore,ou=ServiceAccounts,dc=example,dc=local";)

    aci_toUsrAccount_forPasswordReset.ldif
    # ACI to a user account for password reset
    dn: uid=user.7,ou=People,dc=example,dc=local
    changetype: modify
    add: aci
    aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.40")(version 3.0; acl "Access to the Password Validation Details Request Control"; allow (read) userdn="ldap:///uid=user.7,ou=People,dc=example,dc=local";)
    Note:

    For demonstration purposes, this sample LDIF file only targets one user. You can use other LDIF syntax to widen its coverage to include multiple users.

  2. Use the ldapmodify command to configure the required ACI.
    $ ldapmodify -f <path>/aci_toSvcAccount_forChangePassword.ldif 
    -h <host name> 
    -p <LDAP port> 
    -D <LDAP bind username> 
    -w <LDAP bind password>
    $ ldapmodify -f <path>/aci_toUsrAccount_forPasswordReset.ldif 
    -h <host name> 
    -p <LDAP port> 
    -D <LDAP bind username> 
    -w <LDAP bind password>
    Note:

    Line breaks are inserted for readability only.
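The following Python script is an added example and is not part of the PingFederate documentation or of Ping Identity's tooling. It builds the same kind of ACI shown in step 1 for any number of user DNs (the note in step 1 mentions widening coverage to multiple users) and audits the generated LDIF before it is handed to ldapmodify in step 2: it rejects malformed DNs such as an empty RDN produced by a doubled comma, and confirms that each ACI grants only read on control 1.3.6.1.4.1.30221.2.5.40 to the very entry it is attached to. The DNs and all function names are constructed for illustration; the OID and the ACI shape come from the procedure above.

```python
"""Generate and audit password-validation-details-request-control ACIs.

Hypothetical helper (not PingFederate or PingDirectory code). The OID and
the ACI layout are taken from the documented procedure; the DNs are
constructed placeholders.
"""
import re
import sys

# OID of the PingDirectory Password Validation Details Request Control (from the procedure).
PVD_CONTROL_OID = "1.3.6.1.4.1.30221.2.5.40"
ACL_NAME = "Access to the Password Validation Details Request Control"

# Matches an ACI of exactly the shape used in the procedure and captures its parts.
ACI_PATTERN = re.compile(
    r'^\(targetcontrol="(?P<oid>[0-9.]+)"\)'
    r'\(version 3\.0; acl "(?P<name>[^"]*)"; '
    r'allow \((?P<perms>[a-z, ]+)\) userdn="ldap:///(?P<dn>[^"]+)";\)$'
)


def is_well_formed_dn(dn: str) -> bool:
    """Reject DNs with an empty or attribute-less RDN (e.g. 'ou=People,,dc=example').

    Simplification: escaped commas inside attribute values are not handled.
    """
    for rdn in dn.split(","):
        if "=" not in rdn:
            return False
        attr, value = rdn.split("=", 1)
        if not attr.strip() or not value.strip():
            return False
    return True


def build_aci(dn: str) -> str:
    """Return an ACI granting `dn` read access to the control and nothing else."""
    if not is_well_formed_dn(dn):
        raise ValueError(f"malformed DN: {dn!r}")
    return (
        f'(targetcontrol="{PVD_CONTROL_OID}")'
        f'(version 3.0; acl "{ACL_NAME}"; allow (read) userdn="ldap:///{dn}";)'
    )


def build_ldif(dns) -> str:
    """One LDIF 'changetype: modify / add: aci' record per DN, blank-line separated."""
    records = []
    for dn in dns:
        records.append(
            f"dn: {dn}\nchangetype: modify\nadd: aci\naci: {build_aci(dn)}\n"
        )
    return "\n".join(records)


def check_aci(entry_dn: str, aci: str) -> bool:
    """True only if `aci` grants exactly 'read' on the control to `entry_dn` itself."""
    m = ACI_PATTERN.match(aci)
    if not m:
        return False
    perms = {p.strip() for p in m.group("perms").split(",")}
    return (
        m.group("oid") == PVD_CONTROL_OID
        and perms == {"read"}
        and m.group("dn") == entry_dn
    )


def audit_ldif(ldif_text: str):
    """Return [(dn, ok), ...] for every record in LDIF produced by build_ldif()."""
    results = []
    for record in ldif_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in record.splitlines())
        results.append((fields["dn"], check_aci(fields["dn"], fields.get("aci", ""))))
    return results


if __name__ == "__main__":
    # Constructed sample DNs; in practice read them from your own user export.
    sample_dns = [
        "uid=user.7,ou=People,dc=example,dc=local",
        "uid=user.8,ou=People,dc=example,dc=local",
    ]
    ldif = build_ldif(sample_dns)
    if not all(ok for _, ok in audit_ldif(ldif)):
        sys.exit("generated ACI failed audit")
    sys.stdout.write(ldif)
```

Redirect the script's output to a file and pass that file to ldapmodify with the -f option exactly as in step 2. The audit step is deliberately strict: an ACI that names the wrong control, that lists more than read, or whose userdn does not match the entry it is being added to is reported as failed rather than silently loaded.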